potentially dangerous Request.Form value

shahab

I want to update a textbox and also change the HTML elements.



Error:
A potentially dangerous Request.Form value was detected from the client (TextBox1="<br> <h1> a <h1/>").
Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.

Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (TextBox1="<br> <h1> a <h1/>").

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

Please help me.
 
Hi,
Yes, that's true. ASP.NET automatically checks if your URL string contains any dangerous values, such as: "<br> <h1> a <h1/>" (HTML code).

Turn off this automatic detection and check the input yourself.
 
The error message tells you what you need to do. Open the page in the HTML view and at the top there will be a line that starts

<%@ Page

and ends with

%>

Simply add validateRequest=false before the %> to turn off the automatic checking.

Be aware though that this can allow people to enter potentially malicious code into the textboxes and as such your code behind should really check the values entered before using them.

Out of interest is there a reason why you want people to be able to enter HTML tags into your form?
 
If you would like to let this error occur but handle it more
gracefully (by redirecting the user to an "error" page or something),
add code in Application_Error event of the Global.asax file.
You can check if the error is this error by calling Server.GetLastError().
 
How can I change the text properties like being bold or italic or insert image and ...
This was the real reason to put HTML elements in textbox
 
shahab, if this form/page is in a private secured part of your web site then following PlausiblyDamp's suggestion of setting validateRequest to false would be viable.
 
Dear friends,
Look at the edit button beside this form.
Then click it,
Hello!!!
I would like to perform different edits on the texts which users had typed on it.
1-Then I made a database
2-I read the info in a textbox and put an edit button for users to
click it and then they will be able to edit the text.
in this forum we have:
Explorer user prompt + Enter the text to be formatted
A Method that really is limited!
but the capability that I dream is:
User chooses the text in the text box (highlights it), then clicks a button; therefore,
he would have a bold or italic or smaller text on the final show (scenario)
thanks
 
That could be done using JavaScript except that a textbox cannot display formatted text, you would need to display the end result in a Label or Div
 
similar Error

I am getting the same type of error in the integrated environment. But if I run the same application from my local environment it is working fine. Please help
 
Hi all,

Today I faced the same problem and hence decided to revoke the old thread.
Now the problem is

Case 1: I am using ASP.NET 1.0 (as my site is developed on the same.)
Here this error never occurs and so there is no need of having validate request tag in the page directive.

Case 2: The server I am hosting it on has ASP.NET 1.1
There it raises this error and hence I am required to put the tag for validateRequest = False. But putting this tag raises the error in the ASP.NET 1.0 env.

Now the problem is I want to make it generic so that it could be run on either versions. AND YES I NEED THOSE SCRIPTS TO BE PASSED FROM CLIENT TO SERVER.

Is there any way I can achieve both??

Thanks in advance.
Ashutosh
 
Bucky said:
If you would like to let this error occur but handle it more
gracefully (by redirecting the user to an "error" page or something),
add code in Application_Error event of the Global.asax file.
You can check if the error is this error by calling Server.GetLastError().

I like this approach.. the "error" page can be done in the HTML <page %> tag.

How do I do this in the Global.asax?
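
An added example, not code from any poster in this thread: the two server-side pieces discussed above, written in C#. The `Application_Error` handler catches the validation error as Bucky describes, and `FormatSanitizer` is one way to check the input yourself on a page that sets validateRequest=false. The names `InvalidInput.aspx` and `FormatSanitizer` and the list of allowed tags are assumptions.

```csharp
// Added example, not from the thread. InvalidInput.aspx and FormatSanitizer are hypothetical names.
using System;
using System.Text.RegularExpressions;
using System.Web;

// Global.asax.cs: request validation stays on; the error is handled gracefully.
public class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        // Walk the chain in case the exception arrives wrapped in another one.
        for (Exception ex = Server.GetLastError(); ex != null; ex = ex.InnerException)
        {
            if (ex is HttpRequestValidationException)
            {
                Server.ClearError();                      // suppress the default error page
                Response.Redirect("~/InvalidInput.aspx"); // hypothetical friendly page
                return;
            }
        }
    }
}

// For a page that turns request validation off: HTML-encode everything,
// then re-enable only a fixed set of attribute-free formatting tags.
public class FormatSanitizer
{
    // Matches the encoded forms of <b>, </b>, <i>, </i>, <u>, </u>, <br>, <br/> only.
    private static readonly Regex Allowed = new Regex(
        @"&lt;(/?)(b|i|u)&gt;|&lt;br\s*/?&gt;", RegexOptions.IgnoreCase);

    public static string ToSafeHtml(string userInput)
    {
        string encoded = HttpUtility.HtmlEncode(userInput); // all markup becomes text
        return Allowed.Replace(encoded, new MatchEvaluator(Restore));
    }

    private static string Restore(Match m)
    {
        if (m.Groups[2].Success) // one of b, i, u, opening or closing
            return "<" + m.Groups[1].Value + m.Groups[2].Value.ToLower() + ">";
        return "<br>";
    }
}
```

With the input from the error message, `<br> <h1> a <h1/>`, `ToSafeHtml` keeps the `<br>` and returns the `<h1>` tags encoded, so they display as text in a Label or Div. Tags that carry attributes, such as images, are not restored by this allowlist.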
 